How do I define a password policy in LDAP?

Changing the default password hash algorithm

(Tested on RHEL6. For RHEL7 some steps may not be valid)

password-hash configures one or more hashes to be used in generation of user passwords stored in the userPassword attribute during processing of LDAP Password Modify Extended Operations (RFC 3062). This allows the directory server to handle hashing instead of the client. The scheme(s) to use for new passwords must be chosen from SSHA, SHA, SMD5, MD5, CRYPT, and CLEARTEXT. When the password-hash directive is not specified, the default is SSHA.

Including this option in the configuration file conforms to best practices. This guide sets it explicitly, using the CRYPT scheme with a SHA-512 crypt salt format as shown below, rather than the SSHA default.

# Set password hashing algorithm to use by default
password-hash {CRYPT}
password-crypt-salt-format "$6$%.12s"

The salt format here is '$6$', which selects the SHA-512-based crypt method and provides 12 characters (72 bits) of salt. It uses the default of 5000 iterations. The table on Hashcat's home page suggests that this is around 50,000 times stronger than the simple SSHA (salted SHA-1) hash.

More on password policies

The user is allowed to change his own password. Note that the directory ACLs for this attribute can also affect this ability (pwdAllowUserChange: TRUE).

The name of the password attribute is "userPassword" (pwdAttribute: userPassword). Note that this is the only value that is accepted by OpenLDAP for this attribute.

The server will check the syntax of the password. If the server is unable to check the syntax (i.e., it was hashed or otherwise encoded by the client) it will return an error refusing the password (pwdCheckQuality: 2).

When a client includes the Password Policy Request control with a bind request, the server will respond with a password expiration warning if it is going to expire in ten minutes or less (pwdExpireWarning: 600). The warnings themselves are returned in a Password Policy Response control.

When the password for a DN has expired, the server will allow five additional "grace" logins (pwdGraceAuthNLimit: 5).

The server will maintain a history of the last five passwords that were used for a DN (pwdInHistory: 5).

The server will lock the account after the maximum number of failed bind attempts has been exceeded (pwdLockout: TRUE).

When the server has locked an account, the server will keep it locked until an administrator unlocks it (pwdLockoutDuration: 0).

The server will reset its failed bind count after a period of 30 seconds (pwdFailureCountInterval: 30).

Passwords will not expire (pwdMaxAge: 0).

Passwords can be changed as often as desired (pwdMinAge: 0).

Passwords must be at least 5 characters in length (pwdMinLength: 5).

The password does not need to be changed at the first bind or when the administrator has reset the password (pwdMustChange: FALSE).

The current password does not need to be included with password change requests (pwdSafeModify: FALSE).

The server will only allow five failed binds in a row for a particular DN (pwdMaxFailure: 5).
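The policy described above, collected into a single pwdPolicy entry that can be loaded with ldapadd. This is an added example, not a file from the original guide; the base DN dc=example,dc=com, the ou=Policies container and the entry name cn=default are assumptions.

```ldif
# Added example: pwdPolicy entry implementing the settings described above.
# pwdPolicy is an auxiliary class, so a structural class (person) carries it.
# The DN below is an assumption; adjust it to your directory layout.
dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
# The only attribute name OpenLDAP accepts here.
pwdAttribute: userPassword
# Users may change their own password (directory ACLs still apply).
pwdAllowUserChange: TRUE
# Reject passwords whose syntax cannot be checked (pre-hashed by the client).
pwdCheckQuality: 2
# Warn in the Password Policy Response control 600 seconds before expiry.
pwdExpireWarning: 600
# Five grace logins after expiry.
pwdGraceAuthNLimit: 5
# Remember the last five passwords to prevent reuse.
pwdInHistory: 5
# Lock after pwdMaxFailure consecutive failed binds.
pwdLockout: TRUE
pwdMaxFailure: 5
# 0 = stay locked until an administrator clears the lock.
pwdLockoutDuration: 0
# Failed-bind counter resets after 30 seconds.
pwdFailureCountInterval: 30
# Passwords never expire and may be changed at any time.
pwdMaxAge: 0
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
```

To make this the directory-wide default, point the ppolicy overlay at it with ppolicy_default in slapd.conf (olcPPolicyDefault under cn=config); with pwdLockoutDuration set to 0, an administrator clears a lockout by deleting the pwdAccountLockedTime attribute from the affected entry.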